CVE-2025-71279— XenForo Passkey Security Bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-71279
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XenForo Passkey Security Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user accounts. An attacker may be able to compromise the security of Passkey-based authentication.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Xenforo 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Xenforo是Xenforo公司的一个论坛软件。 XenForo 2.3.7之前版本存在授权问题漏洞,该漏洞源于影响已添加到用户账户的Passkeys,可能导致攻击者破坏基于Passkey的身份验证安全性。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2025-71279
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-71279
请登录查看更多情报信息。
Same Patch Batch · XenForo · 2026-04-01 · 10 CVEs total
| CVE-2025-71281 | 8.8 HIGH | XenForo Template Method Call Restriction Bypass |
| CVE-2025-71278 | 8.8 HIGH | XenForo OAuth2 Unauthorized Scope Request |
| CVE-2025-71282 | 7.5 HIGH | XenForo Path Disclosure via open_basedir Exceptions |
| CVE-2026-35056 | 7.2 HIGH | XenForo Remote Code Execution via Authenticated Admin |
| CVE-2026-35054 | 6.4 MEDIUM | XenForo Stored Cross-Site Scripting via BB Code Rendering |
| CVE-2026-35057 | 6.4 MEDIUM | XenForo Stored Cross-Site Scripting via Structured Text Mentions |
| CVE-2024-58342 | 6.3 MEDIUM | XenForo Open Redirect via getDynamicRedirect |
| CVE-2025-71280 | 6.2 MEDIUM | XenForo Local Account Page Caching Information Disclosure |
| CVE-2026-35055 | 6.1 MEDIUM | XenForo Cross-Site Scripting via Lightbox in Posts |
IV. Related Vulnerabilities
Same product: XenForo
- CVE-2026-35057
XenForo Stored Cross-Site Scripting via Structured Text Ment - CVE-2026-35056
XenForo Remote Code Execution via Authenticated Admin - CVE-2026-35055
XenForo Cross-Site Scripting via Lightbox in Posts - CVE-2026-35054
XenForo Stored Cross-Site Scripting via BB Code Rendering - CVE-2025-71282
XenForo Path Disclosure via open_basedir Exceptions
Same vendor: XenForo
- CVE-2026-35057
XenForo Stored Cross-Site Scripting via Structured Text Ment - CVE-2026-35056
XenForo Remote Code Execution via Authenticated Admin - CVE-2026-35055
XenForo Cross-Site Scripting via Lightbox in Posts - CVE-2026-35054
XenForo Stored Cross-Site Scripting via BB Code Rendering - CVE-2025-71282
XenForo Path Disclosure via open_basedir Exceptions
Same weakness: CWE-287
- CVE-2026-8244
Industrial Application Software IAS Canias ERP Login RMI imp - CVE-2026-8216
Industrial Application Software IAS Canias ERP Java RMI Sess - CVE-2026-8214
Industrial Application Software IAS Canias ERP RMI doAction - CVE-2026-42560
auth: Patreon provider assigns the same local user ID to eve - CVE-2026-41070
openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, all
V. Comments for CVE-2025-71279
No comments yet